Privacy Act of 1974; System of Records

Issuing agencies

Abstract

As required by the Privacy Act of 1974, notice is hereby given that the Department of Veterans Affairs (VA) is modifying the system of records entitled, "Gulf War Registry -VA" (93VA131) as set forth in the Federal Register. VA is amending the system of records by revising the System Number; System Location; System Manager; Authority for Maintenance of the System; Categories of Records in the System; Routine Uses of Records Maintained in the System; Policies and Practices for Storage of Records; Policies and Practices for Retention and Disposal of Records; Physical, Procedural and Administrative Safeguards; Record Access Procedures; and Notification Procedure. VA is republishing the system notice in its entirety.

Full Text

<html>
<head>
<title>Federal Register, Volume 86 Issue 180 (Tuesday, September 21, 2021)</title>
</head>
<body><pre>
[Federal Register Volume 86, Number 180 (Tuesday, September 21, 2021)]
[Notices]
[Pages 52546-52550]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2021-20361]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA), Veterans Health 
Administration.

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: As required by the Privacy Act of 1974, notice is hereby given 
that the Department of Veterans Affairs (VA)

[[Page 52547]]

is modifying the system of records entitled, ``Gulf War Registry -VA'' 
(93VA131) as set forth in the Federal Register. VA is amending the 
system of records by revising the System Number; System Location; 
System Manager; Authority for Maintenance of the System; Categories of 
Records in the System; Routine Uses of Records Maintained in the 
System; Policies and Practices for Storage of Records; Policies and 
Practices for Retention and Disposal of Records; Physical, Procedural 
and Administrative Safeguards; Record Access Procedures; and 
Notification Procedure. VA is republishing the system notice in its 
entirety.

DATES: Comments on this amended system of records must be received no 
later than 30 days after date of publication in the Federal Register. 
If no public comment is received during the period allowed for comment 
or unless otherwise published in the Federal Register by the VA, the 
modified system of records will become effective a minimum of 30 days 
after date of publication in the Federal Register. If VA receives 
public comments, VA shall review the comments to determine whether any 
changes to the notice are necessary.

ADDRESSES: Comments may be submitted through <a href="http://www.Regulations.gov">www.Regulations.gov</a> or 
mailed to VA Privacy Service, 810 Vermont Avenue NW, (005R1A), 
Washington, DC 20420. Comments should indicate that they are submitted 
in response to ``Gulf War Registry--VA'' (93VA131). Comments received 
will be available at <a href="http://regulations.gov">regulations.gov</a> for public viewing, inspection or 
copies.

FOR FURTHER INFORMATION CONTACT: Stephania Griffin, Veterans Health 
Administration (VHA) Privacy Officer, Department of Veterans Affairs, 
810 Vermont Avenue NW, Washington, DC 20420; telephone (704) 245-2492 
(Note: this is not a toll-free number).

SUPPLEMENTARY INFORMATION: The System Number is being updated from 
93VA131 to 93VA10 to reflect the current VHA organizational routing 
symbol.
    The System Location is being updated to replace Austin Automation 
Center (AAC) with Austin Information Technology Center (AITC) and to 
reflect electronic records being moved to contracted data repository 
sites, such as the Cerner Technology Centers (CTC): Primary Data Center 
in Kansas City, MO and Continuity of Operations/Disaster Recovery 
(COOP/DR) Data Center in Lee Summit, MO, in the future. Environmental 
Agents Service (131) is being replaced with Post Deployment Health 
Services (12POP5). Also, since optic readers, paper, or disk copies are 
no longer used or maintained, this section is being updated to remove, 
``The secure web-based data entry system is maintained by the AAC and 
provides retrievable images to users. The optical disk system is 
currently being utilized where there is no access to the secure web-
based system. However, the optical disk system is scheduled to be 
discontinued in 2004. Images of code sheets are accessible in the web-
based data entry system.''
    The System Manager, Record Access Procedures, and Notification 
Procedure are being updated to replace, ``Program Chief for Clinical 
Matters, Office of Public Health and Environmental Hazards (13) (for 
clinical issues) and Management/Program Analyst, Environmental Agents 
Service (131) (for administrative issues)'' with Deputy Chief 
Consultant, Post Deployment Health Services (12POP5). Telephone number 
202-266-4511 (this is not a toll-free number).
    Authority for Maintenance of the System is being amended to replace 
``Title 38, United States Code (U.S.C.) 1710(e)(1)(B) and 1720E'' with 
Title 38 U.S.C. 1117, Public Laws 102-585 and 100-687.
    Categories of Records in the System is being amended to remove 
``Similar responses for spouse and children of Gulf War Veterans 
examined by non-VA physicians are contained in the records''.
    The Routine Uses of Records Maintained in the System is being 
updated to replace Joint Commission for Accreditation of Healthcare 
Organizations (JCAHO) to The Joint Commission in Routine use #8.
    The language in Routine Use #9 is being updated. It previously 
stated that disclosure of the records to the Department of Justice 
(DoJ) is a use of the information contained in the records that is 
compatible with the purpose for which VA collected the records and that 
VA may disclose records in this system of records in legal proceedings 
before a court or administrative body after determining that the 
disclosure of the records to the court or administrative body is a use 
of the information contained in the records that is compatible with the 
purpose for which VA collected the records. This routine use will now 
state that VA may disclose information to the Department of Justice 
(DoJ), or in a proceeding before a court, adjudicative body, or other 
administrative body before which VA is authorized to appear, when:
    (a) VA or any component thereof;
    (b) Any VA employee in his or her official capacity;
    (c) Any VA employee in his or her official capacity where DoJ has 
agreed to represent the employee; or
    (d) The United States, where VA determines that litigation is 
likely to affect the agency or any of its components,

is a party to such proceedings or has an interest in such proceedings, 
and VA determines that use of such records is relevant and necessary to 
the proceedings, provided, however, that in each case VA determines the 
disclosure is compatible with the purpose for which the records were 
collected. If the disclosure is in response to a subpoena, summons, 
investigative demand, or similar legal process, the request must meet 
the requirements for a qualifying law enforcement request under the 
Privacy Act, 5 U.S.C. 552a(b)(7), or an order from a court of competent 
jurisdiction under 552a(b)(11).
    Routine Use #12 has been updated by clarifying the language to 
state, ``VA may disclose any information or records to appropriate 
agencies, entities, and persons when (1) VA suspects or has confirmed 
that there has been a breach of the system of records; (2) VA has 
determined that as a result of the suspected or confirmed breach there 
is a risk to individuals, VA (including its information systems, 
programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, or 
persons is reasonably necessary to assist in connection with VA efforts 
to respond to the suspected or confirmed breach or to prevent, 
minimize, or remedy such harm.''
    Routine use #13 is being added to state, ``VA may disclose 
information from this system of records to another Federal agency or 
Federal entity, when VA determines that information from this system of 
records is reasonably necessary to assist the recipient agency or 
entity in (1) responding to a suspected or confirmed breach or (2) 
preventing, minimizing, or remedying the risk of harm to individuals, 
the recipient agency or entity (including its information systems, 
programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.''
    Policies and Practices for Storage of Records is updated to remove 
``In 2003, the data collection process moved to a secure web-based 
system. Data previously recorded manually and converted to electronic 
format is now input through the secure VA Intranet system. Data is 
stored on a web server hosted by the AAC and is retrievable by the 
facility. Three levels of access are

[[Page 52548]]

provided for the data that is input, using password security linked to 
the AAC Top Secret Security system, with mandated changes every 90 
days. Data from individual facilities is uploaded nightly and stored on 
Direct Access Storage Devices at the AAC, Austin, Texas, and on optical 
disks at VA Central Office, Washington, DC. AAC stores registry tapes 
for disaster back up at an off-site location. VA Central Office also 
has back-up optical disks stored off-site. In addition to electronic 
data, registry reports are maintained on paper documents and 
microfiche. The optical disk system is currently being utilized where 
there is no access to the secure web-based system. The optical disk 
system is scheduled to be discontinued in 2004 and all access to the 
GWR system will be through the secure web-based data entry system. 
Records will be maintained and disposed of in accordance with records 
disposition authority approved by the Archivist of the United States.'' 
This section is updated to state that all registry data is stored 
electronically in the registry database.
    Policies and Practices for Retention and Disposal of Records is 
being updated to remove ``Records will be maintained and disposed of in 
accordance with records disposition authority approved by the Archivist 
of the United States''. This section is updated to state that Records 
are scheduled in accordance with RCS 10-1, 1202.1e, permanent 
disposition; cutoff at the end of calendar year. Records are 
transferred to NARA in 5-year blocks 1 year after the cutoff of the 
most recent records in the block. (N1-015-00-2, item 2e).
    The Physical, Procedural and Administrative Safeguards section is 
being updated to remove, ``Data is securely located behind the VA 
firewall and only accessible from the VA Local Area Network (LAN) 
through the VA Intranet. Read access to the data is granted through a 
telecommunications network to authorized VA Central Office personnel. 
AAC reports are also accessible through a telecommunications network on 
a read-only basis to the owner (VA facility) of the data. Access is 
limited to authorized employees by individually unique access codes 
which are changed periodically. Physical access to the AAC is generally 
restricted to AAC staff, VA Central Office, custodial personnel, 
Federal Protective Service and authorized operational personnel through 
electronic locking devices. All other persons gaining access to the 
computer rooms are escorted. Backup records stored off-site for both 
the AAC and VA Central Office are safeguarded in secured storage areas. 
A disaster recovery plan is in place and system recovery is tested at 
an off-site facility in accordance with established schedules.'' This 
section is updated to state that there are multiple levels of security 
to ensure the confidentiality of all data stored within the GWR. The 
registry is stored on a password protected system located in a locked 
room. Registry application is web-based and accessible behind the VA 
firewall. Access to the facility is limited by PIV access, security 
card, metal scanners at the entrance, and security guards.
    The Report of Intent to Amend a System of Records Notice and an 
advance copy of the system notice have been sent to the appropriate 
Congressional committees and to the Director of the Office of 
Management and Budget (OMB) as required by 5 U.S.C. 552a(r) (Privacy 
Act) and guidelines issued by OMB (65 FR 77677), December 12, 2000.

Signing Authority

    The Senior Agency Official for Privacy, or designee, approved this 
document and authorized the undersigned to sign and submit the document 
to the Office of the Federal Register for publication electronically as 
an official document of the Department of Veterans Affairs. Dominic A. 
Cussatt, Acting Assistant Secretary of Information and Technology and 
Chief Information Officer, approved this document on August 5, 2021 for 
publication.

     Dated: September 16, 2021
Amy L. Rose,
Program Analyst, VA Privacy Service, Office of Information Security, 
Office of Information and Technology, Department of Veterans Affairs.
SYSTEM NAME
    Gulf War Registry--VA (93VA10)

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Character-based data from Gulf War Registry (GWR) Code Sheets are 
maintained in a registry data set at the Austin Information Technology 
Center (AITC), 1615 Woodward Street, Austin, Texas 78772 and may be 
maintained at contracted data repository sites, such as the Cerner 
Technology Centers (CTC): Primary Data Center in Kansas City, MO and 
Continuity of Operations/Disaster Recovery (COOP/DR) Data Center in Lee 
Summit, MO. Since the data set at the AITC is not all-inclusive, i.e., 
narratives, signatures, etc., noted on the code sheets are not entered 
into this system, images of the code sheets are maintained at the 
Department of Veterans Affairs, Post Deployment Health Services 
(12POP5), 810 Vermont Avenue NW, Washington, DC 20420. These are 
electronic images of paper records, i.e., code sheets, medical records, 
questionnaires and correspondence.

SYSTEM MANAGER(S):
    Deputy Chief Consultant, Post Deployment Health Services (12POP5). 
VA Central Office, 810 Vermont Avenue NW, Washington, DC 20420. 
Telephone number 202-266-4511 (this is not a toll-free number).

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38, United States Code (U.S.C.) 1117, Public Laws 102-585 and 
100-687.

PURPOSE(S) OF THE SYSTEM:
    The records will be used for the purpose of providing information 
about: Veterans who have had a GWR examination at a VA medical facility 
and their spouses and/or children who have had examinations by VA or 
non-VA clinicians to assist in generating hypotheses for research 
studies; providing management with the capability to track patient 
demographics; reporting birth defects among Veterans' children and 
grandchildren; planning the delivery of health care services and 
associated cost; and assisting in the adjudication of claims possibly 
related to exposure to a toxic substance or environmental hazard.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Veterans who may have been exposed to toxic substances or 
environmental hazard while serving in the Southwest Theatre of 
Operations during the Gulf War from August 2, 1990, until such time as 
Congress by law ends the Gulf War, and have had a Gulf War Registry 
(GWR) examination at a VA medical facility. Also, a spouse or child 
suffering from an illness or disorder (including birth defects, 
miscarriages, or stillbirth), which cannot be disassociated from the 
Veteran's service in the Southwest Asia Theatre of Operations and who 
has had a GWR examination performed by a VA or non-VA clinician.

CATEGORIES OF RECORDS IN THE SYSTEM:
    These records consist of code sheet records recording VA facility 
code identifier where Veteran was examined or treated; Veteran's name; 
address; Social Security number; date of birth; race/ethnicity; marital 
status; sex;

[[Page 52549]]

branch of service; periods of service; hospital status, i.e., 
inpatient; outpatient; areas of service in the Gulf War Theatre of 
Operations; list of military units where Veteran served; military 
occupation specialty; names of units in which Veteran served; Veteran's 
reported exposure to environmental factors; any traumatic experiences 
while in the Gulf War; Veteran's self-assessment of health; Veteran's 
functional impairment; report of birth defects and infant death(s) 
among Veteran's children and/or problems with pregnancy and 
infertility; date of registry examination; Veteran's complaints/
symptoms; consultations; diagnoses; disposition (hospitalized, referred 
for outpatient treatment, etc.); whether Veteran had an unexplained 
illness and had further tests and consultations and diagnoses as part 
of a Phase II, Uniform Case Assessment Examination; and name and 
signature of examiner/clinician coordinator, when provided.
    Another category of data entry is obtained from depleted uranium 
(DU) questionnaires, a supplement to the Gulf War code sheet. The data 
entries may contain the facility identifier where the information was 
completed; demographic information (name and Social Security number); 
daytime and evening phone numbers; date of questionnaire completion; 
date of arrival in and departure from the Gulf War Theatre of 
Operations; source of referral to VA medical center for evaluation; 
where Veteran served (i.e., Iraq, Kuwait, Saudi Arabia, the neutral 
zone [between Iraq and Saudi Arabia], Bahrain, Qatar, the United Arab 
Emirates, Oman, Gulf of Aden, Gulf of Oman and the Waters of the 
Persian Gulf, Arabian Sea and Red Sea); capacity in which Veteran 
served; questions relating to potential inhalation exposures to DU 
including those on, in, or near vehicles hit with friendly fire or 
enemy fire, entering burning vehicles, individuals near fires involving 
DU munitions, individuals salvaging damaged vehicles, and those near 
burning vehicles; whether Veteran was wounded, retained DU fragments in 
Veteran's body, handled DU penetrator rounds or any other exposures to 
DU; whether a 24-hour urine collection for uranium was performed; name, 
title and signature of examiner/environmental health clinician, when 
provided, and results of urine uranium tests, expressed per microgram 
per gram creatinine.

RECORD SOURCE CATEGORIES:
    VA patient medical records, various automated record systems 
providing clinical and managerial support to VA health care facilities, 
Veteran, family members, and records from Veterans Benefits 
Administration, Department of Defense, Department of the Army, 
Department of the Air Force, Department of the Navy and other Federal 
agencies.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    To the extent that records contained in the system include 
information protected by 45 CFR parts 160 and 164, i.e., individually 
identifiable health information of VHA or any of its business 
associates, and 38 U.S.C. 7332; i.e., medical treatment information 
related to drug abuse, alcoholism or alcohol abuse, sickle cell anemia, 
or infection with the human immunodeficiency virus, that information 
cannot be disclosed under a routine use unless there is also specific 
statutory authority in both 38 U.S.C. 7332 and CFR parts 160 and 164 
permitting disclosure.
    1. VA may disclose information to a Member of Congress or staff 
acting upon the Member's behalf when the Member or staff requests the 
information on behalf of, and at the request of, the individual who is 
the subject of the record.
    2. VA may disclose information relevant to a claim of a Veteran or 
beneficiary, such as the name, address, the basis and nature of a 
claim, amount of benefit payment information, medical information, and 
military service and active duty separation information, only at the 
request of the claimant to accredited service organizations, VA-
approved claim agents, and attorneys acting under a declaration of 
representation, so that these individuals can aid claimants in the 
preparation, presentation, and prosecution of claims under the laws 
administered by VA.
    3. VA may disclose the names and address(es) of present or former 
members of the armed services or their beneficiaries: (1) To a 
nonprofit organization if the release is directly connected with the 
conduct of programs and the utilization of benefits under Title 38, and 
(2) to any criminal or civil law enforcement governmental agency or 
instrumentality charged under applicable law with the protection of the 
public health or safety, if a qualified representative of such 
organization, agency, or instrumentality has made a written request 
that such names or addresses be provided for a purpose authorized by 
law; provided that the records will not be used for any purpose other 
than that stated in the request and that organization, agency, or 
instrumentality is aware of the penalty provision of 38 U.S.C. 5701(f).
    4. VA may disclose information to National Archives and Records 
Administration (NARA) in records management inspections conducted under 
44 U.S.C. 2904 and 2906, or other functions authorized by laws and 
policies governing NARA operations and VA records management 
responsibilities.
    5. VA may disclose information from this system to epidemiological 
and other research facilities approved by the Under Secretary for 
Health for research purposes determined to be necessary and proper, 
provided that the names and addresses of Veterans and their dependents 
will not be disclosed unless those names and addresses are first 
provided to VA by the facilities making the request.
    6. VA may disclose information to a Federal agency for the purpose 
of conducting research and data analysis to perform a statutory purpose 
of that Federal agency upon the prior written request of that agency.
    7. VA may disclose information that, either alone or in conjunction 
with other information, indicates a violation or potential violation of 
law, whether civil, criminal, or regulatory in nature, to a Federal, 
state, local, territorial, tribal, or foreign law enforcement authority 
or other appropriate entity charged with the responsibility of 
investigating or prosecuting such violation or charged with enforcing 
or implementing such law. The disclosure of the names and addresses of 
Veterans and their dependents from VA records under this routine use 
must also comply with the provisions of 38 U.S.C. 5701.
    8. VA may disclose information to survey teams of The Joint 
Commission, College of American Pathologists, American Association of 
Blood Banks, and similar national accreditation agencies or boards with 
which VA has a contract or agreement to conduct such reviews, as 
relevant and necessary for the purpose of program review or the seeking 
of accreditation or certification.
    9. VA may disclose information to the Department of Justice (DoJ), 
or in a proceeding before a court, adjudicative body, or other 
administrative body before which VA is authorized to appear, when:
    (a) VA or any component thereof;
    (b) Any VA employee in his or her official capacity;
    (c) Any VA employee in his or her official capacity where DoJ has 
agreed to represent the employee; or
    (d) The United States, where VA determines that litigation is 
likely to

[[Page 52550]]

affect the agency or any of its components,

    is a party to such proceedings or has an interest in such 
proceedings, and VA determines that use of such records is relevant and 
necessary to the proceedings.
    11. VA may disclose to other Federal agencies to assist such 
agencies in preventing and detecting possible fraud or abuse by 
individuals in their operations and programs.
    12. VA may disclose any information or records to appropriate 
agencies, entities, and persons when (1) VA suspects or has confirmed 
that there has been a breach of the system of records; (2) VA has 
determined that as a result of the suspected or confirmed breach there 
is a risk to individuals, VA (including its information systems, 
programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, or 
persons is reasonably necessary to assist in connection with VA efforts 
to respond to the suspected or confirmed breach or to prevent, 
minimize, or remedy such harm.
    13. VA may disclose information from this system to another Federal 
agency or Federal entity, when VA determines that information from this 
system of records is reasonably necessary to assist the recipient 
agency or entity in (1) responding to a suspected or confirmed breach 
or (2) preventing, minimizing, or remedying the risk of harm to 
individuals, the recipient agency or entity (including its information 
systems, programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    All registry data is stored electronically in the registry 
database.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are indexed by name of Veteran and Social Security number.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records are scheduled in accordance with RCS 10-1, 1202.1e, 
permanent disposition; cutoff at the end of calendar year. Records are 
transferred to NARA in 5-year blocks 1 year after the cutoff of the 
most recent records in the block. (N1-015-00-2, item 2e)

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Access to electronic and paper records at VA Central Office is only 
authorized to VA personnel on a ``need to know'' basis. Records are 
maintained in manned rooms during working hours. During non-working 
hours, there is limited access to the building with visitor control by 
security personnel. Registry data maintained at the AITC can only be 
updated by authorized AITC personnel.
    There are multiple levels of security to ensure the confidentiality 
of all data stored within the GWR. The registry is stored on a password 
protected system located in a locked room. Registry application is web-
based and accessible behind the VA firewall. Access to the facility is 
limited by Personal Identity Verification (PIV) access, security card, 
metal scanners at the entrance, and security guards.

RECORD ACCESS PROCEDURE:
    An individual who seeks access to records maintained under his or 
her name may write or visit the nearest VA medical facility or write to 
the Deputy Chief Consultant, Post Deployment Health Services (12POP5), 
VA Central Office, 810 Vermont Avenue NW, Washington, DC 20420.

CONTESTING RECORD PROCEDURES:
    (See Record Access Procedures above.)

NOTIFICATION PROCEDURE:
    An individual who wishes to determine whether a record is being 
maintained in this system under his or her name or other personal 
identifier, or wants to determine the contents of such record, should 
submit a written request or apply in person to the last VA medical 
facility where medical care was provided or submit a written request to 
the Deputy Chief Consultant, Post Deployment Health Services (12POP5), 
VA Central Office, 810 Vermont Avenue NW, Washington, DC 20420. 
Inquiries should include the Veteran's name, Social Security number, 
service serial number, and return address.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    Last full publication provided in 69 FR 2962.
[FR Doc. 2021-20361 Filed 9-20-21; 8:45 am]
BILLING CODE;P


</pre></body>
</html>